Skip to content

feat: sign windows binaries #13086

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 16 commits into from
Apr 29, 2024
Merged

feat: sign windows binaries #13086

Changes from 1 commit
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
43c1463
feat: sign windows binaries
sreya Apr 27, 2024
29f5da3
typo
sreya Apr 27, 2024
d4ae773
java
sreya Apr 27, 2024
cd2b975
whoops
sreya Apr 27, 2024
00ba1bf
checkout first
sreya Apr 27, 2024
535bdff
access-token
sreya Apr 27, 2024
d0cc85e
idk
sreya Apr 27, 2024
156b5ea
wrong principal
sreya Apr 27, 2024
f136fa1
test token
sreya Apr 27, 2024
f7879a7
wrong format
sreya Apr 27, 2024
6fad022
big O
sreya Apr 27, 2024
ea9afe9
i mean wtf
sreya Apr 27, 2024
902bff8
update CI workflow
sreya Apr 27, 2024
640cc1b
update windows script comment
sreya Apr 27, 2024
40449b8
remove test release workflow
sreya Apr 27, 2024
afc9564
make fmt
sreya Apr 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
update CI workflow
  • Loading branch information
@sreya
sreya committed Apr 27, 2024
commit 902bff86e8c9c1eaa3ffdd1bbf2f5926a75b36d5
39 changes: 39 additions & 0 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,13 @@ jobs:
- name: Setup Node
uses: ./.github/actions/setup-node

# Necessary for signing Windows binaries.
- name: Setup Java
uses: actions/setup-java@v4
with:
distribution: "zulu"
java-version: "11.0"

- name: Install nsis and zstd
run: sudo apt-get install -y nsis zstd

Expand Down Expand Up @@ -161,10 +168,32 @@ jobs:
AC_CERTIFICATE_PASSWORD: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
AC_APIKEY_P8_BASE64: ${{ secrets.AC_APIKEY_P8_BASE64 }}

- name: Setup Windows EV Signing Certificate
run: |
set -euo pipefail
touch /tmp/ev_cert.pem
chmod 600 /tmp/ev_cert.pem
echo "$EV_SIGNING_CERT" > /tmp/ev_cert.pem
wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar -O /tmp/jsign-6.0.jar
env:
EV_SIGNING_CERT: ${{ secrets.EV_SIGNING_CERT }}

- name: Test migrations from current ref to main
run: |
make test-migrations

# Setup GCloud for signing Windows binaries.
- name: Authenticate to Google Cloud
id: gcloud_auth
uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ secrets.GCP_CODE_SIGNING_WORKLOAD_ID_PROVIDER }}
service_account: ${{ secrets.GCP_CODE_SIGNING_SERVICE_ACCOUNT }}
token_format: "access_token"

- name: Setup GCloud SDK
uses: "google-github-actions/setup-gcloud@v2"

- name: Build binaries
run: |
set -euo pipefail
Expand All @@ -179,16 +208,26 @@ jobs:
build/coder_helm_"$version".tgz \
build/provisioner_helm_"$version".tgz
env:
CODER_SIGN_WINDOWS: "1"
CODER_SIGN_DARWIN: "1"
AC_CERTIFICATE_FILE: /tmp/apple_cert.p12
AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
AC_APIKEY_ISSUER_ID: ${{ secrets.AC_APIKEY_ISSUER_ID }}
AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }}
AC_APIKEY_FILE: /tmp/apple_apikey.p8
EV_KEY: ${{ secrets.EV_KEY }}
EV_KEYSTORE: ${{ secrets.EV_KEYSTORE }}
EV_TSA_URL: ${{ secrets.EV_TSA_URL }}
EV_CERTIFICATE_PATH: /tmp/ev_cert.pem
GCLOUD_ACCESS_TOKEN: ${{ steps.gcloud_auth.outputs.access_token }}
JSIGN_PATH: /tmp/jsign-6.0.jar

- name: Delete Apple Developer certificate and API key
run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}

- name: Delete Windows EV Signing Cert
run: rm /tmp/ev_cert.pem

- name: Determine base image tag
id: image-base-tag
run: |
Expand Down
Loading